add bucket_policy_document

CHANGELOG.md

@@ -31,3 +31,6 @@
 
 * v2.1.0 -- 20210511
   - add kms_policy to be used for custom kms key policy and kms_admin_roles
+
+* v2.2.0 -- 20210520
+  - add bucket_policy_document to be used for additional bucket policy merged with the default

common/README.md

@@ -26,6 +26,7 @@ No modules.
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -42,6 +43,7 @@ No modules.
 | <a name="input_allowed_endpoints"></a> [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs.  If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
 | <a name="input_bucket_folders"></a> [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name.  Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
+| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
 | <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored. | `string` | `""` | no |

common/resources.tf

@@ -7,9 +7,10 @@ locals {
 }
 
 locals {
-  base_name   = var.bucket_name
-  name        = replace(var.bucket_name, local._prefixes["s3"], "")
-  bucket_name = format("%s%s", local._prefixes["s3"], local.name)
+  base_name              = var.bucket_name
+  name                   = replace(var.bucket_name, local._prefixes["s3"], "")
+  bucket_name            = format("%s%s", local._prefixes["s3"], local.name)
+  bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
 
   # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null
   kms_key_arn  = aws_kms_key.key.arn
@@ -182,8 +183,9 @@ data "aws_iam_policy_document" "this" {
 # apply policy to bucket and public access block policy to bucket
 #---
 resource "aws_s3_bucket_policy" "policy" {
-  bucket     = aws_s3_bucket.this.bucket
-  policy     = data.aws_iam_policy_document.this.json
+  bucket = aws_s3_bucket.this.bucket
+  #  policy     = data.aws_iam_policy_document.this.json
+  policy     = data.aws_iam_policy_document.bucket_policy_combined.json
   depends_on = [null_resource.policy_delay]
 }
 
@@ -259,4 +261,11 @@ data "aws_iam_policy_document" "key_policy_combined" {
   ]
 }
 
+data "aws_iam_policy_document" "bucket_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.this.json,
+    local.bucket_policy_document
+  ]
+}
+
 data "aws_iam_policy_document" "empty" {}

common/variables.tf

@@ -9,6 +9,12 @@ variable "bucket_folders" {
   default     = []
 }
 
+variable "bucket_policy_document" {
+  description = "IAM Policy document describing additiona policy to be attached to the bucket beyond the default"
+  type        = string
+  default     = ""
+}
+
 variable "kms_key_id" {
   description = "AWS KMS Key ID (one per bucket).  This is currently ignored."
   type        = string

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.1.0"
+  _module_version = "2.2.0"
 }

standard/README.md

@@ -18,6 +18,7 @@ module "mybucket" {
 
   ## optional
   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+  # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 }
 
 data "aws_iam_policy_document" "mypolicy" {
@@ -34,6 +35,11 @@ If `kms_policy_document` is provided it needs to be a valid IAM policy as would
 such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
 to provide variables granting read and write access to the key.
 
+If `bucket_policy_document` is provided it needs to be a valid IAM policy as would apply a bucket.
+This will be merged with the default bucket policy which requires TLS and, via other settings,
+optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
+and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+
 ## Requirements
 
 No requirements.
@@ -62,6 +68,7 @@ No modules.
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -78,6 +85,7 @@ No modules.
 | <a name="input_allowed_endpoints"></a> [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs.  If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
 | <a name="input_bucket_folders"></a> [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name.  Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
+| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no |
 | <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
 | <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |

standard/main.tf

@@ -19,6 +19,7 @@
 *
 *   ## optional
 *   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+*   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 * }
 *
 * data "aws_iam_policy_document" "mypolicy" {
@@ -34,6 +35,11 @@
 * If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
 * such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
 * to provide variables granting read and write access to the key.
+*
+* If `bucket_policy_document` is provided it needs to be a valid IAM policy as would apply a bucket.
+* This will be merged with the default bucket policy which requires TLS and, via other settings,
+* optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
+* and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
 */
 
 locals {

title26/README.md

@@ -19,6 +19,7 @@ module "mybucket" {
 
   ## optional
   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+  # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 }
 
 data "aws_iam_policy_document" "mypolicy" {
@@ -39,6 +40,11 @@ If `kms_policy_document` is provided it needs to be a valid IAM policy as would
 such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
 to provide variables granting read and write access to the key.
 
+If `bucket_policy_document` is provided it needs to be a valid IAM policy as would apply a bucket.
+This will be merged with the default bucket policy which requires TLS and, via other settings,
+optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
+and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+
 ## Requirements
 
 No requirements.
@@ -67,6 +73,7 @@ No modules.
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -83,6 +90,7 @@ No modules.
 | <a name="input_allowed_endpoints"></a> [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs.  If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
 | <a name="input_bucket_folders"></a> [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name.  Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
+| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no |
 | <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | <pre>[<br>  "title26"<br>]</pre> | no |
 | <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |

title26/main.tf

@@ -20,6 +20,7 @@
 *
 *   ## optional
 *   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+*   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 * }
 *
 * data "aws_iam_policy_document" "mypolicy" {
@@ -39,6 +40,11 @@
 * If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
 * such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
 * to provide variables granting read and write access to the key.
+*
+* If `bucket_policy_document` is provided it needs to be a valid IAM policy as would apply a bucket.
+* This will be merged with the default bucket policy which requires TLS and, via other settings,
+* optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
+* and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
 */
 
 locals {